Confounded by Conficker: not so Dozy

If you just got here looking for my blog on Conficker and "blended hoaxes", I’m afraid I just pulled it (temporarily at least) in the light of new data that’s come in since last night: I don’t want to mislead anyone, as it seems that the new Conficker stuff is a lot more active and interesting than it appeared on preliminary analysis.

I’m looking at data right now: in the meantime, our guys in Slovakia have put out a release here that gives you the gist and a full description here.

The most interesting and surprising new feature is that it doesn’t contact any of the control domains, even though it originally operated with up to 50 000 domains a day. The new variant, which we call Win32/Conficker.AQ, communicates only within its own peer-to-peer network.
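One practical consequence of that switch is worth spelling out for anyone relying on DNS logs to spot infected machines. The earlier behaviour (thousands of algorithmically generated lookups a day, most of them failing) stands out in resolver logs; a variant that talks only to its peers produces none of that noise. The script below is an added illustration, not code from this post or from ESET: it runs a simple per-host check over a constructed resolver log (hosts 10.0.0.5, 10.0.0.8 and 10.0.0.9, the domain names and the thresholds are all made up for the example) and flags only the host showing DGA-style churn, while the host standing in for a peer-to-peer-only infection goes unnoticed.

```python
"""Heuristic DNS-log check for DGA-style lookup churn (constructed example).

A host that resolves many distinct, never-seen-before domains, most of which
do not exist (NXDOMAIN), looks very different from an ordinary client.  A
variant that communicates only inside its own peer-to-peer network produces
no such DNS signal, so this check alone cannot see it.
"""
from collections import defaultdict

# Constructed sample log, one "<client> <queried-domain> <rcode>" per line.
# 10.0.0.5 mimics DGA-style lookups, 10.0.0.8 is an ordinary workstation,
# 10.0.0.9 stands in for a host that only talks to peers (no DNS churn).
SAMPLE_DNS_LOG = """\
# constructed resolver log, not real traffic
10.0.0.5 kqzvwhp.info NXDOMAIN
10.0.0.5 yxbtmlq.biz NXDOMAIN
10.0.0.5 pfwrnac.org NXDOMAIN
10.0.0.5 udhsgoe.net NXDOMAIN
10.0.0.5 mcjqtlb.info NXDOMAIN
10.0.0.5 rzhvkxp.biz NXDOMAIN
10.0.0.5 oabgwnm.org NXDOMAIN
10.0.0.5 tlwqysd.net NXDOMAIN
10.0.0.5 gxepcrh.info NXDOMAIN
10.0.0.5 vjknfzu.biz NXDOMAIN
10.0.0.5 bdmhqas.org NXDOMAIN
10.0.0.5 nvlcyte.net NOERROR
10.0.0.8 mail.example.com NOERROR
10.0.0.8 www.example.com NOERROR
10.0.0.8 update.example.net NOERROR
10.0.0.8 www.example.com NOERROR
10.0.0.8 intranet.example.com NOERROR
10.0.0.8 typo.exmaple.com NXDOMAIN
10.0.0.9 www.example.com NOERROR
10.0.0.9 time.example.net NOERROR
"""


def parse_dns_log(text):
    """Return (client, domain, rcode) tuples; blank, comment and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue  # real logs contain junk; ignore rather than abort
        host, domain, rcode = parts
        records.append((host, domain.lower().rstrip("."), rcode.upper()))
    return records


def summarize(records):
    """Per-client totals: lookups, distinct domains queried, NXDOMAIN answers."""
    acc = defaultdict(lambda: {"lookups": 0, "domains": set(), "nxdomain": 0})
    for host, domain, rcode in records:
        entry = acc[host]
        entry["lookups"] += 1
        entry["domains"].add(domain)
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
    return {
        host: {"lookups": e["lookups"], "distinct": len(e["domains"]), "nxdomain": e["nxdomain"]}
        for host, e in acc.items()
    }


def nxdomain_ratio(stat):
    """Fraction of a client's lookups that failed with NXDOMAIN."""
    return stat["nxdomain"] / stat["lookups"] if stat["lookups"] else 0.0


def flag_dga_hosts(stats, min_distinct=10, min_nx_ratio=0.8):
    """Clients with many distinct domains and a high failure rate.

    The thresholds are scaled down for the tiny sample; on a day of real
    resolver logs they would be set far higher.
    """
    return sorted(
        host for host, stat in stats.items()
        if stat["distinct"] >= min_distinct and nxdomain_ratio(stat) >= min_nx_ratio
    )


if __name__ == "__main__":
    stats = summarize(parse_dns_log(SAMPLE_DNS_LOG))
    for host in sorted(stats):
        s = stats[host]
        print(f"{host}: {s['lookups']} lookups, {s['distinct']} distinct, "
              f"NXDOMAIN ratio {nxdomain_ratio(s):.2f}")
    print("DGA-style hosts:", flag_dga_hosts(stats))
```

Only 10.0.0.5 is reported; 10.0.0.9 looks exactly like a healthy client in DNS terms, which is the point: once a variant stops using control domains, this kind of resolver-side check has to be paired with host-based scanning and network monitoring rather than relied on by itself.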

It seems likely that the Conficker gang are trying to throw us off because of the media attention and close analysis by the security industry: I imagine that all the fuss has made it difficult for them to run it as originally intended.

The new variant has two main components. The server component infects vulnerable PCs in the network using the same vulnerability described in MS08-067 (you did update, didn’t you?), installing the client component so as to recruit them into the Conficker botnet. However, the server component will deactivate and remove itself after May 3rd, though the client will remain active.

Conficker’s botnet is already larger than most, but it looks to me as if the gang are back trying to grow it. I still don’t think it’s going to do “enormous harm” in terms of a monster attack: that isn’t likely to be cost effective for the botmasters.

What they are doing right now, I’d say, is adapting to compensate for the fact that Conficker has been rather heavily analysed, and to make it harder for us to forestall them on the basis of previous analyses.

It’s funny how on this blog you have been trying to downplay the Conficker worm… and now you’re coming up with several posts about how it does this and that… and oh maybe we need to revise our previous tone.

[Quote removed because it came from a blog that I removed when new data came in, precisely because of the risk of causing confusion.]

How many times are you going to change your mind? Is it a real threat or, as you say, “I still don’t think it’s going to do ‘enormous harm’ in terms of a monster attack”? How exactly do you know that for sure?

Please try and be consistent, as some readers here who have RSS feeds are getting confused by posts that conflict with one another.

Cheers.

Randy Abrams

I can’t speak for David Harley, but I can tell you this much: if you would simply listen to me you would not be at all confused. Take the proper security precautions for dealing with all threats and you don’t have to worry about Conficker. If you are worried about Conficker then you need to get educated. Conficker is only a threat to those who leave themselves exposed to hundreds, if not thousands, of worse threats. Do you drive around only worried, or particularly worried, about one make and model of car on the road? Do you drive less defensively if there is a Toyota on the road with you than if there is a Honda on the road with you? Conficker is one of thousands of threats. Worry about security, not the specific threat… it’s the only intelligent approach.

Randy Abrams
Director of Technical Education

David Harley

Ironic, really, given that this industry is consistently accused of hyping threats, that I’m being accused here of “playing down” Conficker.

No-one said that Conficker doesn’t present a threat and never will: rather that there was very little information on what would happen on April 1st, and no particular reason to expect the end of the world, and that there were plenty of other threats to take at least as seriously. In the past few days, there has been a lot more -real- information (as opposed to speculation, some of it very wild indeed); naturally I’ve passed some of it on, but it still isn’t the end of the world.

There’s nothing inconsistent between our position before – “don’t get into a panic, but take all reasonable precautions” – and after: there’s a big difference between passing on hard data and yelling “the sky is falling”.

I haven’t “changed my mind”: more data came in and made it clear that there were, contrary to first impressions, significant changes in the latest variant. The blog you quoted was replaced with one that was a better reflection of the later data. My point was that the Conficker story has acquired a mythic dimension that was, for a while, aggravated by near-inactivity on the part of the botnet: I evidently didn’t make that clear enough.

Conficker is and always was a “real threat”: there are millions of infected PCs out there somewhere, and that’s no hoax. However, that doesn’t mean there’s going to be a “monster attack” on the internet. I -don’t- know for sure that there won’t be, of course, but it’s unlikely to happen unless the Conficker gang can see a profit in it, whereas there are certainly ways in which they can profit -without- bringing down the ‘net.

Given the apparent size of the botnet, there could be very large-scale attacks on individual targets: DDoS attacks, for instance. That’s quite a different issue, though, and not at all novel.